The purpose of Cyber Security Challenge UK is simply stated – "to bring more talented people into the Cyber Security Profession." The worldwide problem is well-documented – a severe shortage of cyber security specialists.
Cyber Security Challenge UK seeks to address this through a series of challenge competitions in which contestants, not currently in the profession, pit their wits against each other and pre-defined security problems.The purpose is to attract and identify talented individuals, and help and persuade them to move into cyber security.
In the latest round of the competitions, sponsored by PwC and Symantec, the winning eight contestants have now booked their place at the Cyber Security Challenge Masterclass 2014. The task set was to use their skills to access a shop’s back office applications and data sources to collect credit card numbers and to identify an external hacker responsible for a scam that could entitle them to free coffee for life.
The first-place winner was Aaron Devaney, a 38 year-old software developer from Leeds. Infosecurity spoke to Devaney and Andrew Miller, cyber security director at PwC, to better understand the purpose and effect of the Cyber Security Challenge.
Devaney has been a software developer for 15 years, and it was through dealing with the results of penetration tests that he first became more interested in security per se. "I got to grips with it, and taught myself the ins and outs of what the root causes of the test failures were. When I started doing the cyber challenge, that opened up a whole new world – a lot of things I wouldn't have come across as a developer – general security, wireless security and so on."
The problem, however, is that the leap from established IT developer to cyber security specialist is not an easy one. "When I looked at the cyber security roles on the job boards, I found that even the junior roles – which would have involved a considerable cut in salary – were still looking for several years of security experience."
There are, then, two inhibitors to filling the security gap. Firstly, the education system is not producing new entrants who can fill those junior roles straight from college and make a career in security; and secondly, it is difficult for established people to enter security mid-stream. Miller explained that the Cyber Security Challenge UK organization is addressing both sides of the problem: "A schools outreach program and other things the government is doing, is bringing cyber security into the school agenda. When youngsters are looking at what they want as a career, cyber security specialist is not currently a front of mind option. Our schools program seeks to change that."
But that's too late for established professionals like Devaney – and that's what the Challenge is for. "What the challenge does," explained Miller, "is provide a vehicle for people like Aaron to transition from cyber security aware to cyber security specialist. Experience and qualifications are generally required – but this is a way of jumping across the boundary while it exists."
Devaney himself is not currently looking beyond the Masterclass event. In the long term he hopes to make that jump, but "a lot of it's resting," he says, "on what happens in the Masterclass." Companies are not yet queuing at his door with security job offers. But the hope and purpose of the Cyber Security Challenge is that after the Masterclass, the talented finalists such as Aaron Devaney will be able to take their certificates as proof of security excellence, and start to fill the security gap.